On 09/08/2019 22:02, surfrock66 wrote:
> When the ldap-user-base-dn is the root of the domain, or the bind user is in
> a different OU than the ldap-user-base-dn, the ldap plugin seems to have
> issues. Our domain is structured like this:
> DC=AD,DC=DOMAIN,DC=org
> |--OU=Office1
> | |--OU=Users
> |--OU=Office2
> | |--OU=Users
> | |--CN=username
> |--OU=Office3
> | |--OU=Users
> |--OU=ServiceAccounts
> |--CN=svcLDAPLookup
That's broadly the same structure as my AD, in as much as
a) ldap-user-base-dn is the root of the domain
b) the ldap-search-bind-dn is not in the root
The only difference that leaps out to me is that my ldap-search-bind-dn
is in the standard cn=users AD container (so a container rather than an
OU) but that seems like an unlikely reason for your problem.
I am running an older version of guacamole, though, so it's entirely
possible that the current release of the LDAP code differs from my
installation.
> ldap-port: 389
> This results in the following errors, which are DIFFERENT than the
> "referrals disabled" error from above:
> ERROR o.a.g.auth.ldap.ObjectQueryService - Could not follow referral: null
The only possible lead I've come across there is if the server running
guacamole uses different DNS servers to your AD, which might lead to the
LDAP client (i.e. guacamole) being unable to resolve the referral it's
issued with, e.g.
https://confluence.atlassian.com/jirakb/user-lookups-fail-with-partialresultexceptions-due-to-active-directory-follow-referrals-configuration-235668642.html
but that feels tenuous.
A possible workaround, depending on the structure of your domain/forest,
could be to specify ldap-port: 3268 to query the GC rather than the
domain, which (due to the peculiarities of AD) means that no referral is
returned in the first place. But that means a) you're querying the
forest and not the domain, which in some setups will be undesirable, and
b) masking the underlying problem rather than fixing it.
Adam
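A small diagnostic for the DNS lead raised above, added here as an example and not code from either poster or from the Guacamole project. A subtree search rooted at the domain makes AD return continuation references (referrals) for the other naming contexts it knows about; the LDAP client has to resolve each referral host with its own DNS before it can follow it. The script parses referral URLs the way an LDAP client would and reports which hosts the client cannot resolve. The referral URLs and hostnames in SAMPLE_REFERRALS are constructed to match the domain in the thread (they are the shape AD typically returns, not output captured from anyone's server), and the resolver is injectable so the check can be run against a stand-in DNS view.

```python
"""Which AD referral targets can this LDAP client actually follow?

A subtree search at the root of a domain (DC=AD,DC=DOMAIN,DC=org) makes AD
return continuation references for the other naming contexts it holds. The
client must resolve each referral host through ITS OWN DNS; a host it cannot
resolve surfaces client-side as a failure such as "Could not follow referral".
"""
import socket
from urllib.parse import unquote, urlsplit

# Constructed sample (hostnames hypothetical): the continuation references AD
# typically returns for a subtree search rooted at the domain itself.
SAMPLE_REFERRALS = [
    "ldap://ForestDnsZones.AD.DOMAIN.org/DC=ForestDnsZones,DC=AD,DC=DOMAIN,DC=org",
    "ldap://DomainDnsZones.AD.DOMAIN.org/DC=DomainDnsZones,DC=AD,DC=DOMAIN,DC=org",
    "ldap://AD.DOMAIN.org/CN=Configuration,DC=AD,DC=DOMAIN,DC=org",
]


def parse_referral(url):
    """Split an RFC 4516 LDAP URL into (host, port, base_dn).

    The host comes back lowercased (urlsplit normalises it); attributes,
    scope and filter after '?' are ignored because only the target matters.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    default_port = 636 if parts.scheme == "ldaps" else 389
    base_dn = unquote(parts.path.lstrip("/"))
    return parts.hostname, parts.port or default_port, base_dn


def system_resolver(host):
    """True if the host resolves with the DNS configured on this machine."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def check_referrals(urls, resolve=system_resolver):
    """Return one record per referral: target host/port/DN and whether the
    given resolver can turn the host into an address."""
    report = []
    for url in urls:
        host, port, base_dn = parse_referral(url)
        report.append(
            {"host": host, "port": port, "dn": base_dn, "resolvable": resolve(host)}
        )
    return report


def unfollowable(urls, resolve=system_resolver):
    """Referral hosts the client cannot resolve, i.e. the ones that would
    make the client's referral chase fail."""
    return [r["host"] for r in check_referrals(urls, resolve) if not r["resolvable"]]


if __name__ == "__main__":
    # Stand-in for a client whose DNS knows the domain name but has no records
    # for the application-partition aliases (hypothetical DNS view).
    known_hosts = {"ad.domain.org"}
    for rec in check_referrals(SAMPLE_REFERRALS, lambda h: h in known_hosts):
        status = "ok" if rec["resolvable"] else "UNRESOLVABLE"
        print(f"{status:12} {rec['host']}:{rec['port']} -> {rec['dn']}")
```

Run it as-is to see the constructed case; drop the lambda and call check_referrals(SAMPLE_REFERRALS) on the Guacamole host itself to test with that machine's real resolver, substituting the referral URLs your own DC returns. Any host listed by unfollowable() is a DNS problem on the client side rather than an LDAP one, which is the distinction the thread is trying to draw.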